Approve for removal not working

  • Question

  • I have been tasked with cleaning up C drive space on our servers and one of the recommendations was to remove Windows updates that have been superseded.

    To test this I set one update as "Approved for removal" and set a deadline of Saturday at 10:15am. 

    I checked the server this morning and the update is still installed. 

    The server is set to download and install updates every day at 3pm.

    Any guidance would be appreciated.

    Monday, October 29, 2018 1:25 PM

All replies

  • You're going about it the wrong way. If you're talking about just cleaning up the server that has WSUS installed, you'd have to do this from the WSUS console. If you're talking about cleaning up the space of other systems non-WSUS related, it's not as easy.

    First, let's look from the WSUS Side - See part 8 of my blog series on How to Setup, Manage, and Maintain WSUS (https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/)

    Second, let's look from the client side (servers and desktop clients alike).

    Emin Atac, a PowerShell MVP, wrote a sweet function called Get-MSIZapInfo (https://p0w3rsh3ll.wordpress.com/2012/01/05/get-msi-packages-information-from-the-registry/).

    Copy the file to the local system (C:\Temp\Get-MSIZapInfo.ps1).

    Start PowerShell using Run as administrator.

    Set-ExecutionPolicy Bypass
    . C:\Temp\Get-MSIZapInfo.ps1
    $(Get-MSIZapInfo -ShowSupersededPatches).LocalPackage | Remove-Item -Force -ErrorAction SilentlyContinue
    Set-ExecutionPolicy -ExecutionPolicy "Restricted" -Scope Process -Confirm:$false
    Set-ExecutionPolicy -ExecutionPolicy "Restricted" -Scope LocalMachine -Confirm:$false


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, October 29, 2018 5:02 PM
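
A more cautious variant of the commands in the post above, added here as an example and not written by any thread participant: it limits the execution-policy bypass to the current session, records and totals the superseded packages, and only moves them off the C drive when explicitly told to. The quarantine path and the `$Commit` switch are assumptions; only `Get-MSIZapInfo -ShowSupersededPatches` and its `LocalPackage` property come from the post.

```powershell
# Added example, not from the thread. Assumes Get-MSIZapInfo.ps1 is at C:\Temp, as in the post.
$Quarantine = 'D:\InstallerQuarantine'   # hypothetical folder on another volume
$Commit     = $false                     # leave $false for a dry run

# Process scope: the bypass ends with this session and the machine-wide policy is not touched.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
. C:\Temp\Get-MSIZapInfo.ps1

# Cached packages reported as superseded (same call and property as the post).
$paths = @((Get-MSIZapInfo -ShowSupersededPatches).LocalPackage) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Leaf) } |
    Sort-Object -Unique
$files = @(foreach ($p in $paths) { Get-Item -LiteralPath $p -Force })

# Report how much space is actually at stake before changing anything.
$totalBytes = ($files | Measure-Object -Property Length -Sum).Sum
'{0} file(s), {1:N2} GB reclaimable' -f $files.Count, ($totalBytes / 1GB)

# Keep a record of what is about to change.
$log = Join-Path $env:TEMP ('superseded-msp-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
$files | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path $log -NoTypeInformation

if ($Commit) {
    # Move instead of delete, so a package can be put back if a repair or uninstall asks for it.
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $files | Move-Item -Destination $Quarantine -Force
} else {
    $files | Remove-Item -Force -WhatIf    # prints each target, deletes nothing
}
```
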
  • This is purely from the client side.

    The script appears to be geared towards Windows 7 and XP so I'm not going to run it on my servers.

    What would be great is if when an update is approved for removal it is actually removed.


    Monday, October 29, 2018 5:41 PM
  • The script is not geared towards 7 and XP. It's actually geared towards ALL versions of Windows - past and present as Microsoft has not changed the way that the MSIs get stored in C:\Windows\Installer for a long long time. I run these commands on my server without issue. And the first time I cleaned up over 60 GB on my RDS Server (mostly Office updates).


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, October 29, 2018 7:58 PM
  • This is purely from the client side.

    ……

    What would be great is if when an update is approved for removal it is actually removed.

    'Approve for Removal', doesn't make sense, for 'cleaning up superseded updates'...
    That's not what it's for.

    Approve for Removal, is only relevant where you have Approved for Install, and you then (soon after) discover that you don't want to have that approved update on your targets after all. (eg it causes an undesirable regression or other negative impact to you)
    So, Approve for Removal, causes that update to be uninstalled (removed) from your targets.

    Supersedence, occurs at a much later juncture (typically), and the superseding update entirely and completely replaces the earlier superseded update. Typically this involves replacing older versions of binaries with newer versions of those binaries. The older binaries are already replaced, so there is no disk space consumed by older/earlier versions of those binaries.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, October 29, 2018 8:40 PM
  • I have been tasked with cleaning up C drive space on our servers and one of the recommendations was to remove Windows updates that have been superseded.

    'Remove updates that have been superseded', isn't a thing. Endpoints don't keep copies of the payloads from superseded updates. You can't recover any drive space on endpoints by doing this, because there is no drive space being consumed by this scenario.

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, October 29, 2018 8:42 PM
  • Thanks, that makes a lot of sense as far as this not being a viable option to recover drive space. But the issue of an update not being removed remains.
    Monday, October 29, 2018 8:56 PM
  • Thanks, that makes a lot of sense as far as this not being a viable option to recover drive space. But the issue of an update not being removed remains.

    I've not had to Approve for Removal for quite a long time, but last time I did, it worked fine?

    Some updates are not flagged/classed as removable (like the SSU for example), but I can't recall if such flags cause the WSUS console to disable the removal option. If you view the metadata of an example problematic update, does that metadata indicate if removal is not-allowed?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, October 30, 2018 8:01 AM